Re: User Security Question

On 2 Nov, 18:57, Mark D Powell <Mark.Pow..._at_eds.com> wrote:
> On Nov 2, 1:32 pm, HectorTYC <rufus_mi..._at_btinternet.com> wrote:
>
>
>
>
>
> > Database version: 9.2.0.6.0
> > OS = Solaris 8
>
> > I currently work for an organisation that continually shoots itself in
> > the foot with the large amount of unauthorised changes it makes to the
> > production database of the main business application. These changes
> > are being made by a motley bunch of devlopers, support analysts ...
> > pretty much anyone who feels like it really.
>
> > To make matters worse they are doing this using the main schema
> > account (please excuse me if I mangle terminology, I'm not a DBA) used
> > by the application itself, thus leaving no audit trail of who has made
> > these changes. All show as being the application that has made the
> > change, rather than some nut with Toad and a cavalier attitude as is
> > more often the case. Worse; tracing (?) is not turned on so that info
> > is even more limited than it could be.
>
> > I am aware of how bad this is m'kay (on any number of levels) but
> > until I can persuade/force the organisation to plough resource into
> > what is quite a large undertaking, simply changing the password is an
> > appealing but not viable option.
>
> > As an interim measure I am resigning myself to attempting to force
> > people not to use this account using policy and a mixture of begging
> > and loud tutting, however I'd be interested to see if anyone out there
> > has any clever suggestions as to how I could stop people using the
> > application user account without making changes to the account or
> > incurring any DB downtime. I did wonder if it was possible to allow
> > connections by this user from only a list of trusted sources but our
> > DBA thinks this isn't possible.
>
> Too bad you are not US based. I say this because the environment you
> describe is not SOX complaint and almost any audit would have written
> this up as a violation.
>
> As a general rule developers should have update access to production
> data nor should customers except via a provided application screen.
> Unfortunately there are more exceptions than sites that follow this
> basic policy.
>
> Try documenting mistakes that affect production and how much time it
> took to fix the error. Time is money. Most managers at least
> partially understand money and the desirability of not letting others
> waste it.
>
> IMHO -- Mark D Powell --- Hide quoted text -
>
> - Show quoted text -

Hi Mark,

As it happens we're in serious breach (12 counts) of the security standards (BS27001) we already (astoundingly) have certification for. I've already flagged these breaches some time ago.

I appreciate your comments but believe me it's an approach I've already undertaken. I'm an ITIL qualified practitioner of about 6 years experience in change and release and about 15 years in IT in general and agree with all you say, it's not for a lack of trying. Oddly this is an organisation that doesn't place the usual values on things, even money. I'm currently (at last!) in a place where I can maybe force through a couple of policies around this as a result of a couple of recent cock-ups, if not get the budget for the complete overhaul it really requires. I was looking for some sneaky ways to bar access that I could ask our overstretched DBA to implement while the iron was hot so to speak.

Hi David,

It's an application that was developed bespoke by a 3rd party 2 years ago, we're currently entering our 3rd cycle of use (annual) and it's entirely internally supported. We are completely responsible for breaking it ourselves nowadays. ;)

Thanks for the pointers about triggers. I'll mention it to the DBA and see what he thinks.

GazzaG,

That sounds the most useful. Until we can actually get the password changed and do all the work that really needs to be done then just putting in some sort of control that would actually take effort to circumvent would have immense value as to do so would demonstrate an attempt to subvert policy. As it stands it's all so uncontrolled and vague I have sympathy for the folks who're being driven to make these unauthorised changes. Received on Fri Nov 02 2007 - 16:55:32 CDT